ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Setup claw.tech

v1.0.3

Use when setting up a new claw agent with tapes.dev telemetry and clawtel leaderboard reporting. Installs tapes, clawtel, and the openclaw-in-a-box orchestra...

0· 128·0 current·0 all-time
byBrian Douglas@bdougie

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bdougie/clawtech-setup.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Setup  claw.tech" (bdougie/clawtech-setup) from ClawHub.
Skill page: https://clawhub.ai/bdougie/clawtech-setup
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: curl
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install clawtech-setup

ClawHub CLI

Package manager switcher

npx clawhub@latest install clawtech-setup
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim to install tapes, clawtel, and an 'openclaw-in-a-box' skill; the SKILL.md indeed downloads/installs those components. However the SKILL.md metadata includes an install URL for tapes (https://download.tapes.dev/install) even though the registry summary listed no install spec — a mild inconsistency. Asking the user to register at claw.tech for CLAW_ID and CLAW_INGEST_KEY is coherent with a telemetry/leaderboard setup, but those env vars are not declared in the skill's top-level requirements, which is a mismatch.
!
Instruction Scope
Runtime instructions tell the agent/user to run a remote shell installer (curl -fsSL https://download.tapes.dev/install | bash), download and extract a binary and move it to /usr/local/bin, clone or fetch SKILL.md from raw.githubusercontent.com, and set CLAW_ID/CLAW_INGEST_KEY environment variables. Those actions are within the stated setup scope, but they grant the remote installers high discretion (they run arbitrary shell code) and require writing system-wide binaries/config. The skill claims clawtel only reads token-count columns, but that is an unverifiable claim in this instruction-only asset.
!
Install Mechanism
The installer uses a curl | bash pattern against https://download.tapes.dev/install (a domain that is not an obvious widely-audited release host). Curl|bash is high-risk because it executes remote shell content without requiring the user to inspect it. The clawtel binary comes from GitHub releases (expected), and fetching raw SKILL.md from raw.githubusercontent.com is normal, but the initial shell installer URL should be audited before use.
Credentials
The registry lists no required env vars, but the instructions require the user to set CLAW_ID and CLAW_INGEST_KEY (sensitive ingest key). Requiring those keys is logical for reporting telemetry, but the skill should declare them. The instructions assert that no key = no network calls for clawtel, and that clawtel only reads limited DB columns; those security claims are unverifiable from the SKILL.md alone.
Persistence & Privilege
always:false and autonomous invocation are normal. The install steps move a binary to /usr/local/bin (system-wide path) and write a skills/ directory, which require elevated privileges or user consent — reasonable for a CLI install but worth noting. The skill does not request permanent 'always' presence or attempt to modify other skills' configs in this SKILL.md.
What to consider before installing
Before installing, review and verify the remote installer and binaries: 1) Do not run curl | bash without inspecting the script—download https://download.tapes.dev/install in your browser or via curl -fsSL to a local file and read it first. 2) Confirm download.tapes.dev is trusted for your environment; prefer official release archives signed or hosted on well-known repos if available. 3) The setup moves a binary into /usr/local/bin (requires sudo); consider installing into a user-local bin or verifying the binary's checksum. 4) CLAW_INGEST_KEY is a secret shown once—store it securely (env var or system keychain), and be aware reporting/telemetry will send aggregated counts to claw.tech per the instructions. 5) Fetch and inspect the openclaw-in-a-box SKILL.md before handing off orchestration. 6) If you aren't comfortable with remote installers or system-wide changes, run this in an isolated VM or container first. Finally, ask the skill author (or documentation) for: a reproducible audit of what the tapes installer does, a checksum/signature for the clawtel binary, and a declaration of required env vars in the registry metadata to resolve the inconsistency.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🦞 Clawdis
Binscurl
latestvk9736p1k8awt76sm440fwyvexn83x5pd
128downloads
0stars
4versions
Updated 4w ago
v1.0.3
MIT-0
Brian Douglas@bdougie
latest
Download

clawtech-setup

Set up a claw agent with tapes.dev telemetry, clawtel leaderboard reporting, and the openclaw-in-a-box orchestrator.

What this installs

  1. tapes.dev — records every AI request/response into a local SQLite store for search, audit, and replay
  2. clawtel — reads aggregate token counts from tapes and reports them to the claw.tech leaderboard hourly
  3. openclaw-in-a-box — orchestrator skill that configures integrations and boots an OpenClaw agent

Step 1: Install tapes

command -v tapes && tapes --version || curl -fsSL https://download.tapes.dev/install | bash

If the curl install fails, try: brew install papercomputeco/tap/tapes

Then initialize:

tapes init

Skip tapes init if ~/.tapes/ already exists.

Step 2: Install clawtel

Detect platform and download the latest release:

OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m); [ "$ARCH" = "x86_64" ] && ARCH="amd64"; [ "$ARCH" = "aarch64" ] && ARCH="arm64"
curl -fsSL "https://github.com/bdougie/clawtel/releases/latest/download/clawtel_${OS}_${ARCH}.tar.gz" | tar xz
mv clawtel /usr/local/bin/

Or build from source:

git clone https://github.com/bdougie/clawtel.git && cd clawtel
CGO_ENABLED=0 go build -ldflags="-s -w" -o clawtel .
mv clawtel /usr/local/bin/

Step 3: Register your claw and configure clawtel

Register your claw at claw.tech/setup to receive a CLAW_ID (uuid) and CLAW_INGEST_KEY (ik_...). The ingest key is shown once and cannot be retrieved again.

export CLAW_ID="your-claw-uuid"
export CLAW_INGEST_KEY="ik_your_key_here"

clawtel finds your tapes database automatically:

  1. TAPES_DB env var (explicit override)
  2. .mb/tapes/tapes.sqlite (openclaw-in-a-box layout)
  3. ~/.tapes/tapes.sqlite (standalone tapes install)

Start clawtel:

clawtel

It logs its configuration on startup and sends one heartbeat per hour. Stop with Ctrl+C.

Security: clawtel only reads 4 columns from the tapes nodes table: created_at, model, prompt_tokens, completion_tokens. It never reads prompts, responses, tool calls, or project names. No key = no network calls.

Step 4: Fetch openclaw-in-a-box skill

mkdir -p skills/openclaw-in-a-box
curl -fsSL https://raw.githubusercontent.com/papercomputeco/openclaw-in-a-box/main/SKILL.md \
  -o skills/openclaw-in-a-box/SKILL.md

Verify: head -5 skills/openclaw-in-a-box/SKILL.md should show name: openclaw-in-a-box.

Step 5: Verify and hand off

Print a status summary:

clawtech-setup complete:
  tapes:     [version] installed
  tapes db:  ~/.tapes/tapes.sqlite
  clawtel:   installed, CLAW_ID set, CLAW_INGEST_KEY set
  openclaw:  skills/openclaw-in-a-box/SKILL.md

Next: invoke the openclaw-in-a-box skill to configure integrations.

Then hand off to openclaw-in-a-box. That skill handles environment detection, model provider selection, integration setup, and booting the agent.

Updating

# Update openclaw-in-a-box skill
curl -fsSL https://raw.githubusercontent.com/papercomputeco/openclaw-in-a-box/main/SKILL.md \
  -o skills/openclaw-in-a-box/SKILL.md

# Update clawtel binary
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m); [ "$ARCH" = "x86_64" ] && ARCH="amd64"; [ "$ARCH" = "aarch64" ] && ARCH="arm64"
curl -fsSL "https://github.com/bdougie/clawtel/releases/latest/download/clawtel_${OS}_${ARCH}.tar.gz" | tar xz
mv clawtel /usr/local/bin/

Rules

  • Never store secrets in files. Tokens go in env vars or system keychains.
  • Don't start tapes serve automatically — ask the user first.
  • After setup, hand off to openclaw-in-a-box. Don't duplicate its orchestration logic.

Comments

Loading comments...